WLW+AtomPub, Part 2: Authentication

19Oct07

Summary: Use Basic, Digest, or X-WSSE over HTTP or HTTPS (with a valid, signed certificate), and we should be fine.

For AtomPub, Windows Live Writer uses regular RFC2617 HTTP authentication. We make an initial request without credentials, and expect the server to return a 401 response code if required. We do not preauthenticate.

At least one major blog provider returns an error code of 500 with a plain text response body saying “Authentication required”. That won’t work with WLW.

The authentication schemes we definitely support are Basic, Digest, and X-WSSE. It so happens that we are using the HTTP libraries that are built into .NET, and the docs claim support for Negotiate, Kerberos, and NTLM as well, so they may work, but these are not tested or supported scenarios. I would encourage server implementers to stick to one of the above if possible.
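A server-side self-check for the behaviour described above, as an added example that is not from the original post or from Windows Live Writer: given the status code and `WWW-Authenticate` values a server returns to a request without credentials, it reports whether a client that waits for a 401 challenge can proceed. The function names are hypothetical, and `WSSE` as the challenge token for X-WSSE is an assumption.

```python
import re

# Schemes the post lists as supported. "wsse" as the challenge token for
# X-WSSE is an assumption; the post only gives the name "X-WSSE".
SUPPORTED = {"basic", "digest", "wsse"}
UNTESTED = {"negotiate", "kerberos", "ntlm"}  # may work, per the post
# An auth-scheme is a token followed by whitespace (not by "=") or end of text.
_SCHEME = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:\s+(?![\s=])|$)")

def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def challenge_schemes(header_values):
    """Return the lower-cased schemes offered in WWW-Authenticate values."""
    found = []
    for value in header_values:
        for part in _split_outside_quotes(value):
            m = _SCHEME.match(part)  # "Digest realm=.." yes, "nonce=.." no
            if m:
                found.append(m.group(1).lower())
    return found

def check_first_response(status, www_authenticate=()):
    """Classify the reply to the credential-less first request."""
    if status != 401:
        return ("fail", f"status {status} is not a 401 challenge")
    offered = set(challenge_schemes(www_authenticate))
    if not offered:
        return ("fail", "401 without a WWW-Authenticate challenge")
    for verdict, group in (("ok", SUPPORTED), ("untested", UNTESTED)):
        if offered & group:
            return (verdict, ", ".join(sorted(offered & group)))
    return ("fail", "no supported scheme: " + ", ".join(sorted(offered)))

# Constructed sample: a Digest challenge whose realm contains a comma.
SAMPLE = ['Digest realm="blog, staging", nonce="abc", qop="auth", Basic realm="blog"']
```

Feed it the response your AtomPub endpoint gives to an anonymous request; anything other than `ok` means the initial no-credentials request described above will not lead to a supported login.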

HTTPS is of course supported, although you need to have a valid certificate that is signed by a trusted CA. (I may not be describing that exactly right, but hopefully you get what I mean: if a browser would warn the user about it, we won’t connect to it.) I did put in a workaround you can use to force Writer to use invalid/self-signed certificates, but I won’t share that information in a public forum; get in touch with me directly if you really need to do that.

We don’t support more exotic auth schemes like Google auth (unless you are configuring a Blogger blog), OAuth, OpenAuth, etc. I think WordPress has some kind of cookie-based auth (in addition to Basic); we don’t support that. If any of these are important to you, please let me know.

Hey Joe. Thanks for the info in this post. Can you drop me a line about that workaround with self-signed certificates? I’m trying to prove something with a system I’m trying to get WLW to work with; it’s currently reporting an SSL/TLS error.

Hi Joe,
Could you get in touch with me about the workaround? I am working on a dev box that I would like to test on before pushing it out to a box that we have bought a certificate for. Also, is there a workaround to force pre-authentication? Our live site uses a redirect in place of the 401 error.